In an unprecedented memo to state survey and credentialing agencies earlier this month, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing federal privacy regulations to protect patients from social media abuses. The memo cites recent media reports as impetus for the crackdown.

In its memo, dated Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning in September, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents.

Indeed, a growing number of  reports are exposing horrific examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends.  

ProPublica and the Washington Post have been especially out front on this issue. Here is some background to give you an idea of what is taking place:

In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear a few seconds, and then disappear.

Details of the incidents came from government reports, court cases and stories in the media.

An excerpt from one report on the ProPublica website:                                 

“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.”

This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”

In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.

In some cases, employees have faced criminal charges. 

Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Information Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.

Case points to Business Associate Agreements as critical

 

When it comes to HIPAA enforcement, you can’t hide behind a cloak.  That is the message of the federal government’s settlement with the Archdiocese of Philadelphia.

The Diocese will pay $650,000 to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), relating to the theft of a mobile device containing protected health information for 412 nursing home residents.

In this and other recent actions, the feds are underscoring an emphasis on holding Business Associates accountable for safeguarding patient information.

In the Philadelphia case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities.  Here is what happened, according to an announcement by the U. S. Office for Civil Rights (OCR):

In April 2014, ORC  initiated an investigation following the theft of a CHCS-issued employee iPhone.  The iPhone was unencrypted and was not password protected.  The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

Investigators found that CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.

The feds signaled they went light on the settlement amount, saying they considered that CHCS provides much-needed services in the Philadelphia area.

The Resolution Agreement and Corrective Action Plan can be found on the OCR website at:http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html.

Aug. 16, 2016 -- It's pretty easy to understand why the Centers for Medicare & Medicaid Services (CMS) just announced a crackdown on social media abuses against residents in skilled nursing homes.  It's because so many media reports are exposing horrible examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends.   Beginning Sept. 4, state survey and credentialing teams will begin a federally mandated crackdown to enforce protection measures for nursing home residents.

Here is some background to give you an idea of what is taking place:

In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear a few seconds, and then disappear.

Details of the incidents came from government reports, court cases and stories in the media.

An excerpt from one report on the ProPublica website:                                 

“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.”

This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”

In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.

In some cases, employees have faced criminal charges, as the chart below indicates.

 

Social Media Abuses in Nursing Homes Chart

Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Information Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.

The charts below include examples of recent settlements under HIPAA:

Slides HIPAA Audits Go High Gear Large Providers

Compiled from government reports by MyHIPAA Guide

Slides HIPAA Audits Go High Gear Small Providers

Compiled from government reports by MyHIPAA Guide

CMS’ Missive to Skilled Nursing Homes: You’ve Got 30 Days

Crackdown on Social Media Abuses Begins Sept. 4, 2016

New Privacy Offerings Help Nursing Homes Meet Deadline

Aug. 15, 2016 -- In an unprecedented memo to state survey and credentialing agencies, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing privacy policies and procedures to protect patients from social media abuses. The memo cited recent media reports of social media abuses. Some of those reports detail horrific examples of nursing home residents on public display, sometimes partially or fully naked. Incidents often involve patients with dementia -- with staff members taking photos or video of demeaning scenes, and then sharing them with friends.

In its memo, issued on Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning Sept. 4, 2016, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents. 

In January 2016, MyHIPAA Guide, of Akron, Ohio, and Pedagogy Inc., of Troup, Texas, began working on a training and compliance program with special emphasis on social media abuses. Currently, two accredited online courses are available:

Responsibilities for Managing HIPAA Compliance offers training for managers putting compliance plans in place, and Social Media Rules for Nurses and Healthcare Providers educates staff on how abuses often happen, and how they can be prevented.

A bulk packages of seats in the two courses comes with a compliance service offering, called A Nursing Home’s Total Privacy Plan, offered by MyHIPAA Guide. This Total Privacy Plan gives nursing homes a complete compliance management program, including social media guidelines, a secure online whistleblower service, posters, monthly training webinars, and regular news updates on privacy requirements. 

The classes may also be purchased separately through Pedagogy.  Discounts are available for bulk purchases.

To learn more about social media abuses in nursing homes, click here.

Total Privacy Plan

Contact Diane Evans at This email address is being protected from spambots. You need JavaScript enabled to view it. for more details about A Nursing Home's Total Privacy Plan, or Capra Dalton at This email address is being protected from spambots. You need JavaScript enabled to view it. for information about purchasing courses separately.

Or click here to sign up now.

 

About MyHIPAA Guide: Visit MyHIPAAGuide.com, read about us in Crain’s Cleveland Business, or check out our guest viewpoint in the June issue of Compliance Today.

About Pedagogy Inc: Pedagogy offers nationally accredited online continuing education (CEU/CNE) courses and in-services for nurses, certified nursing assistants, CNA's, and other healthcare professionals.

Browse Pedagogy's class catalog to see all course descriptions and curriculum by subject category; courses may be purchased individually on the Pedagogy website.

Monday, 18 July 2016 11:03

Know Your Patients' Rights

Written by

By Diane Evans

Publisher, MyHIPAA Guide

Patients may have more rights over their health records than you realize.

Under today’s privacy rules, consent entails far more than a “check-the-box” exercise as in the past.  Yet, according to government sources, an estimated 27% of Americans aren’t even aware of their basic right to electronic copies of their medical records.

In a public awareness effort, the feds recently released information, including videos, to educate the public so people can make choices based on personal preferences. 

Meanwhile, here are some of the key points to keep in mind, based on information in a model Patient Privacy Notice published by the federal government:

·        Patients are permitted to see, or get an electronic or paper copy, of their medical record and other health information a doctor has about them.  Generally patients should expect to have copies of their records within 30 days of a request, and they may be charged a reasonable fee, based on allowable calculations.

·        Patients may ask their doctor to correct health information they believe is incorrect or incomplete.  The doctor may say no, but should offer a written explanation of why within 60 days.

·        Patients may ask for a list of the times their health information has been shared, who received it and why, going back six years..

·        If a patient pays out-of-pocket in full for a service or health care item, the patient can ask a doctor not to share that information with the patient’s health insurer.  The doctor should say yes unless a law requires the sharing of certain information.

·        If a patient has a legal guardian, or has given someone medical power of attorney, that person can exercise the patient’s rights and make choices about his or her health information.

In addition, a patient can ask to be contacted in a specific way, such as at an office phone or at a different mailing address.  In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients.  For example, a patient may request that appointment reminders be left on their work voicemail rather than home phone voicemail.

For those who prefer email communications, healthcare providers may send unencrypted emails. However, the patient should consent to unsecured emails based on an understanding of the risks.

There are certain things that HIPAA does not do, and these limitations should be understood as well, as detailed in a federally produced Fact Sheet titled Medical Privacy of Protected Health Information.

For example, the Fact Sheet points out tat healthcare providers can share protected health information, without a patient’s permission, with:  

·        Other professionals who are treating that individual;;

·        Health plans and other entities for billing and payment purposes;

·        Certain public health and safety officials, for situations such as disease prevention, product recalls, suspected abuse, neglect or domestic violence.

In addition, the Fact Sheet notes:

·        HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else. As long as the patient does not object, health care professionals may provide information to a patient’s family, friends, or anyone else identified by a patient as involved in his or her care.

 

·        Unless a patient objects, basic information such as the patient’s phone and room number may appear in a hospital directory.

 

·        Members of the clergy may access a patient’s religious affiliation if provided by the patient, and they do not have to ask for patients by name.

 

·        If a patient is incapacitated, healthcare providers may share information with a patient’s family or friends if they believe doing so is in the patient’s best interest.

 

One other thing to keep in mind:  Information sometimes slips out in ways that do not violate federal privacy rules.HIPAA does not eliminate all so-called “incidental disclosures” of patient information.  Incidental disclosures are considered acceptable if a healthcare provider has policies and procedures in place to reasonably safeguard protected  health information.  An incidental disclosure might happen if a hospital visitor overhears a provider’s confidential conversation taking place, or if someone glimpses a patient’s name on a sign-in sheet or nursing station whiteboard.

Throughout its published materials, the federal government clearly acknowledges that no one healthcare provider can totally eliminate the risk of unauthorized disclosures.  Privacy rules set out to reduce risk to the greatest extent reasonably possible.

 

Thursday, 14 July 2016 13:31

Get Info about Patient Rights

Written by

Here are resources to help clarify the rights of patients under HIPAA Rules:

Model Patient Privacy Notice, produced by the federal government, and containing a listing of your rights.

Explanation of how your doctor may calculate fees charged for copies of your health records.

In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients.

 

This Fact Sheet, titled Medical Privacy of Protected Health Information, offers a good overview of patient rights.

 

To learn more about incidental disclosures that are permissible under HIPAA, click here.

 

Some additional things to be aware of:

Page 5634 of the Privacy Rule states that: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
The important thing is the patients/guardians are advised of risks, and that they consent based on personal preference.

Also, be aware of this provision on Page 5634 of the Privacy Rule:

“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

In a memo released last month, the U.S. Office for Civil Rights (OCR) raised this question: Is Your Business Associate Prepared for a Security Incident?

Well, how would you answer?

The issue is critical, as OCR audits are in progress under the federal Health Insurance Portability and Accountability Act (HIPAA). The audits extend to business associates, and according to OCR, business associates will need to demonstrate security risk analysis, risk management, and breach reporting procedures.

In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.

First, let's make sure you know who your business associates are.  In sum, a business associate is any outside person or company with whom you share protected health or personally identifiable information about the people you serve. 

They -- through you -- are obligated to meet all federal privacy and security laws to protect that information.  This includes billing companies, technology vendors, temporary staffing companies and anyone else with potential assess to patient information.  With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.


In its new memo, OCR also says you should plan in advance for how you will confront a breach by a business associate, including subcontractors. OCR’s memo recommends the following:

1. Business associate agreements should define how and for what purposes patient information may be used or disclosed. Be clear about what constitutes unauthorized disclosures and incidents that need to be reported back to the HIPAA-covered healthcare provider.

HIPAA defines “security incidents” as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. This could include:

  • Attempts (either failed or successful) to gain unauthorized access to electronic Patient Health Information (ePHI), or a system that contains ePHI;
  • Unwanted disruption to systems that contain ePHI;
  • Changes to system hardware or software characteristics without the owner's knowledge or consent.

2. Business associate agreements should specify the time frame for business associates or subcontractors to report a breach, security incident, or cyber-attack. Keep in mind: Reporting should be prompt, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and, in some cases, the media.

The federal government’s website says that HIPAA-covered providers should file a breach notification by filling out and electronically submitting a breach report form to the U.S. Department of Health and Human Services.

If a breach affects 500 or more individuals, covered entities must file a report promptly, and in no case later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity must submit notification no later than 60 days after the end of the calendar year in which breach is discovered. The government’s website also describes circumstances that require reporting to the media.

3. Business associate agreements should identify the type of information a business associate or subcontractor will need to provide in a breach or security incident report. Such reports should include the business associate’s name and point of contact information, and descriptions of:

  • What happened, including the date of the incident and the date of the discovery of the incident, if known.
  • The types of protected health information potentially compromised due to the incident.
  • How the business associate is investigating the incident, and what measures are being taken to protect against further incidents.

4. Finally, covered entities and business associates should train workforce members on incident reporting. OCR says covered entities may want to conduct security to make sure their business agreements are being enforced.

Questions? Contact Diane Evans, Publisher of MyHIPAA Guide, at 330-990-1470, or by email at This email address is being protected from spambots. You need JavaScript enabled to view it..   This article is for informational purposes and does not constitute legal advice for individual circumstances.

Read about the first criminal charges under HIPAA law, in a commentary by MyHIPAA Guide Publisher Diane Evans, in the June 2016 issue of Compliance Today:

June2016 OpEd

Page 2 of 3

10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity +

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Provide leadership +

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Document processes, findings, and actions +

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis +

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial – 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan +

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    ADVANCED:
    Toolkit on 45 implementation specifications
  • Step 6: Manage and mitigate risks +

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Prevent breaches +

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach.
    • Suite of Training Materials
  • Step 8: Communicate with patients +

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    INTRODUCTORY:
    • Professionals' guide covering 2013 updates on communications.

    ADVANCED:
    • Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Update or execute Business Associate Agreements (BAAs) +

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Attest to Compliance with Security Objectives +

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.
  • 1

Login

Member Access